sheeplog
su: pam_start: System error (FreeBSD 14) 17 Mar 2025
After upgrading a FreeBSD system or jail to version 14-RELEASE it may happen that any command involving PAM will fail with the following error:
1
su: pam_start: System error
It will even fail silently when using ezjail-admin console <jail-name> and
just not open a jail console.
Problem
The reason probably is that your system or jail has the OPIE plugin
configured in its PAM config in /etc/pam.d/system (or any other file in /etc/pam.d):
1
2
3
4
# ...
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# ...
OPIE means One Password In Everything and implements an OTP mechanism. In FreeBSD 14 this PAM plugin was deprecated and eventually has been removed.
Solution
Dependending on your requirements you can do the following:
- If you donβt explicitly need OPIE, completely remove the plugin by removing
the respective lines from
/etc/pam.d/system -
If you depend on OPIE, you can install the plugin from ports via
1
make -C /usr/ports/security/opie install clean
